Microsoft Is Deleting Its Users’ Passwords

The company wants you using passkeys.
December 23, 2024
meritsolutions

Passwords have long been a security weak point. Too many of us reuse the same simple passwords for many, most, or all of our accounts, which lets bad actors break into our accounts all too easily. Big tech companies know this, and some, like Microsoft, are actively doing something about it.

As part of its plan to make its users more secure, Microsoft is officially deleting the passwords of a billion users. The company says it blocks 7,000 password attacks per second, nearly double the number of blocked attacks from this time last year. Adversary-in-the-middle attacks are also on the rise: Microsoft says these attacks have skyrocketed 146% year over year.

The company isn’t mincing words: “The password era is ending…bad actors know it, which is why they’re desperately accelerating password-related attacks while they still can.”

Microsoft isn’t deleting passwords without a plan to replace them. On the contrary, the company is going all-in on passkeys. Passkeys combine the convenience of a password saved to a password manager with the security of multi-factor authentication (MFA). The idea is this: When you create a passkey for your account, that key is tied to a trusted device, such as your PC. To use the passkey when logging into an account, you authenticate yourself on the trusted device using a face scan, fingerprint scan, or PIN—the same way you’d sign into your PC.

It’s more secure than using a password, as there’s no secret for a bad actor to steal and reuse: They need access to your trusted device, as well as the authentication method (face scan, fingerprint scan, etc.), in order to log into an account. Without that, breaking in is quite difficult. MFA achieves a similar level of security, since you need to authenticate yourself using a code sent to or generated on a trusted device. But bad actors devise tactics to trick you into sharing these codes, or steal them outright by exploiting weaknesses in the SMS protocol.

In short, passkeys are more secure than many forms of MFA, and are much more secure than a password alone. That’s why Microsoft is not only pushing passkeys, but is aggressively campaigning to remove passwords from users’ accounts. The company wants to eliminate the redundancy of an account using both a passkey and a password, since keeping the password as an option leaves the door open for bad actors to break in.
